The Internet provides access to various pieces of information, applications, services, and vehicles for publishing information. Today, the Internet has significantly changed the way we access and use information and services (e.g., banking, e-commerce, e-trading, and the like). In order to access such services, users often share personal information with service providers. Similarly, confidential information of companies is stored on systems that are connected to the Internet.
Recently, the frequency and complexity level of cyber-attacks has increased with respect to attacks performed against all organizations including, but not limited to, cloud providers, enterprises, organizations, and network carriers. Some complex cyber-attacks, known as advanced persistent attack campaigns, utilize different types of attack techniques and target network, application, and end-point resources in order to achieve the attack's goals, thereby compromising the entire security framework of the network. The intention of an advanced persistent attack campaign is usually to steal data rather than to cause direct damage to the network or organization. These attacks typically target organizations in sectors with high-value information such as the national defense, manufacturing, retail, and financial industries.
To secure their systems, infrastructure, and services, enterprises utilize many different security products provided by different vendors. Typically, such products are utilized to detect and/or mitigate different vulnerabilities or threats. As an example, an enterprise network can implement one security product for an intrusion detection system (IDS) and another product for detecting malware downloads. Particularly, a typical enterprise network will be protected by firewalls, anti-virus software, malware detection software, authentication and authorization systems, intrusion detection, anti-phishing systems, network and end-point behavior analysis, data leak prevention systems, web application firewalls (WAFs), and so on.
The security products are typically deployed in different segments of the enterprise network, e.g., at different servers, end-points (client computers), at networks, and so on. Further, different products, provided by different vendors, for protecting against the same type of threat can be typically utilized in combination to enhance the security. For example, IDS software provided by both Cisco® and McAfee® can be installed to protect end-points and servers in the enterprise network.
Security products typically utilize network behavior rules, attack signatures, malware and virus patterns and the like (collectively referred to as “security rules”) to detect and/or mitigate a threat. Examples for such security rules include, e.g., IDS network attack signatures rules, anti-virus and malware patterns, reputation threat records, WAF rules, network behavior analysis rules, and so on. Each such rule is typically specific to a vendor providing the solution.
One of the challenges security architects and managers face is the multiplicity of security products and vendors. Each such product has a unique interface and implements a different type of technology, configurations, debug methods, and different security rules. The myriad of different security solutions and, specifically, their security rules pose a great challenge to protecting an enterprise network from cyber-attacks. Beyond the complexity of configuring and monitoring the different solutions, there is a real challenge in understanding the effectiveness of each security rule and, consequently, of each solution. That is, it cannot be easily determined which solution, for example, is better than another at detecting a specific type of threat.
Consequently, integrating new solutions is complex and time consuming, and requires a large security team with extensive expertise to master product complexity. Obviously, this administrative and maintenance labor comes at the expense of designing security defenses.
As a result, trying to enforce an overall effective security policy for the enterprise network is a very difficult task given the different nature of security rules. For example, assume two IDS products are deployed in the network, and one detects a threat while the other does not. As such, there is an ambiguity as to whether the threat is real. Therefore, current solutions are inefficient when utilized to enforce an overall security policy.
In addition, the reliance on a specific security product typically discourages administrators from replacing one product with another, because, typically, in the chain of enforcing an overall security policy, the input of one product is an output security rule of another product. Therefore, replacing one such product in the chain would require replacing, or at least reconfiguring, other products.
Another challenge posed by the myriad of security products is that their security rules are frequently updated. Thus, such rules can be classified a priori (e.g., mapped into different threat groups, each group representing the type of threat the rule was meant to address), which at best is accurate until the next update. Further, a single security product can contain thousands of security rules or more. Thus, manual classification of all rules across all products is a tedious and time-consuming task.
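To make the two problems just described concrete (two products disagreeing about the same threat, and an a-priori rule-to-threat-group mapping that goes stale after a rule update), the following Python illustration is added here; it is not part of the patent text and does not describe the claimed solution. The vendor names, rule identifiers, threat groups and alert lines are constructed sample data, and the alert line format `vendor|rule_id|src|dst` is an assumption made for the example.

```python
# Added illustration (not from the patent text): a-priori classification of
# vendor-specific security rules into common threat groups, and correlation of
# detections from two products per threat group. All vendor names, rule ids,
# threat groups and alert lines below are constructed sample data.
from collections import defaultdict

# Constructed a-priori mapping: (vendor, rule id) -> threat group. Maintained by
# hand, so it is only accurate until a vendor pushes new or renumbered rules.
RULE_TO_THREAT_GROUP = {
    ("vendorA", "1001"): "malware-download",
    ("vendorA", "1002"): "web-sqli",
    ("vendorB", "B-77"): "malware-download",
    ("vendorB", "B-78"): "web-sqli",
}

# Products deployed in the (constructed) network that are expected to cover
# every threat group above.
PRODUCTS = {"vendorA", "vendorB"}


def classify(vendor, rule_id):
    """Return the threat group for a vendor rule, or None when the rule is not in
    the a-priori mapping (e.g. it was added by a rule update after classification)."""
    return RULE_TO_THREAT_GROUP.get((vendor, rule_id))


def parse_alert(line):
    """Parse one constructed alert line 'vendor|rule_id|src|dst' into a dict."""
    vendor, rule_id, src, dst = line.strip().split("|")
    return {"vendor": vendor, "rule": rule_id, "src": src, "dst": dst}


def correlate(lines):
    """Group alerts by (threat group, src, dst) and report which deployed
    products fired for each. Rules with no mapping are collected separately so
    a stale classification is visible rather than silently dropped."""
    by_key = defaultdict(set)
    unclassified = []
    for line in lines:
        alert = parse_alert(line)
        group = classify(alert["vendor"], alert["rule"])
        if group is None:
            unclassified.append((alert["vendor"], alert["rule"]))
            continue
        by_key[(group, alert["src"], alert["dst"])].add(alert["vendor"])

    findings = []
    for (group, src, dst), vendors in sorted(by_key.items()):
        findings.append({
            "threat_group": group,
            "src": src,
            "dst": dst,
            "detected_by": sorted(vendors),
            "missed_by": sorted(PRODUCTS - vendors),
            # True only when every deployed product agreed on this threat.
            "agreement": vendors == PRODUCTS,
        })
    return findings, unclassified


# Constructed alert lines. The last one uses a rule id that is not in the
# a-priori mapping, standing in for a rule shipped in a later vendor update.
SAMPLE_ALERTS = [
    "vendorA|1001|10.0.0.5|203.0.113.9",
    "vendorB|B-77|10.0.0.5|203.0.113.9",
    "vendorA|1002|10.0.0.7|198.51.100.2",
    "vendorB|B-99|10.0.0.8|198.51.100.3",
]

if __name__ == "__main__":
    findings, unclassified = correlate(SAMPLE_ALERTS)
    for finding in findings:
        print(finding)
    print("unclassified rules:", unclassified)
```

Running the block shows the first threat confirmed by both products, the second seen by only one (the ambiguity the text describes, surfaced explicitly rather than hidden), and one rule that the hand-maintained mapping no longer knows about, which is exactly what must be re-classified after each vendor update.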
It would therefore be advantageous to provide a solution that would overcome the deficiencies of the prior art.